A new Facebook scam lets a message from one of your Facebook friends hijack your account

Researchers have spotted a new Facebook scam that could fool even tech-savvy people and trick them into giving the attacker access to their Facebook accounts.

Don't trust messages apparently sent by one of your Facebook friends asking for urgent help to recover their Facebook account.


The Facebook scam abuses "Trusted Contacts," a Facebook account recovery feature that sends access codes to a short list of friends you select, so that they can help you regain access to your account if you forget your password or are locked out.

The alert was issued by Access Now. The attack chain starts with a message from the compromised account of one of the potential victim's friends.

"The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform's 'Trusted Contacts' feature," states the public security alert.

“Trusted Contacts is a system created by Facebook to help you gain access to your account if you forget your password or your account is locked. If you enable Trusted Contacts, Facebook will ask you to identify three to five people. If you need access to your account, Facebook will send part of a code to each of these users that can be combined to gain access to your account.”

The attacker asks for the victim's help recovering his account: he tells the victim that he is listed as one of his Trusted Contacts on Facebook, and that he will receive by email a code for recovering the account.

The attacker, who is posing as the victim's friend thanks to the compromised account, asks the victim to share the recovery code.

Then the attacker triggers the "I forgot my password" feature for the victim's own Facebook account and requests a recovery code.

At this point, the code the victim receives is not a key to unlock his friend's account: it is the code the attacker requested for the victim's own account through the "Forgot my password" procedure.

If the victim shares the code, the attacker can take over the victim's account.

Below is the step-by-step procedure:

1. You get a message on Facebook Messenger from an attacker who is using the compromised account of someone on your Friends list.
2. The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
3. The attacker then triggers the "I forgot my password" feature for your Facebook account and requests a recovery code.
4. In an effort to help, you send the code you have just received to your "friend."
5. Using the code, the attacker can now steal your account from you and use it to victimize other people.
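The following toy model plays out the five steps above so the mismatch at the heart of the scam is visible in code. It is an added example, not part of Access Now's alert and not Facebook's implementation: the ToyRecoveryService class, its message fields, the six-digit codes and the names alice, bob and mallory are all assumptions made for illustration. The point it shows is that the "I forgot my password" code is bound to the account it was requested for and delivered to that account's own channel, so a victim who checks which account a code belongs to refuses the scam while still helping a genuine Trusted Contacts request.

```python
# Constructed toy model of the Trusted Contacts scam (added example, not Facebook's code).
# The service, its message layout and the names alice/bob/mallory are assumptions.
import secrets
from dataclasses import dataclass


@dataclass
class Message:
    """A recovery email/SMS as the platform delivers it (assumed layout)."""
    to: str            # the person whose channel receives it
    for_account: str   # the account the code actually unlocks
    kind: str          # "password_reset" or "trusted_contact_share"
    code: str


class ToyRecoveryService:
    """Stand-in for the platform's two recovery paths (assumed behaviour)."""

    def __init__(self):
        self.trusted = {}   # account -> list of trusted contacts
        self.pending = {}   # account -> outstanding password-reset code
        self.inbox = {}     # person -> list of Messages delivered to them
        self.owner = {}     # account -> who currently controls it

    def register(self, name, trusted_contacts=()):
        self.trusted[name] = list(trusted_contacts)
        self.owner[name] = name

    def _deliver(self, msg):
        self.inbox.setdefault(msg.to, []).append(msg)

    def forgot_password(self, target):
        """Anyone can click "I forgot my password"; the code is bound to *target*
        and goes to target's own channel, never to a friend."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[target] = code
        self._deliver(Message(target, target, "password_reset", code))

    def trusted_contacts_recovery(self, target):
        """The legitimate feature: each trusted contact receives a share that is
        labelled as being for *target's* account."""
        for contact in self.trusted[target]:
            share = f"{secrets.randbelow(10**6):06d}"
            self._deliver(Message(contact, target, "trusted_contact_share", share))

    def redeem(self, actor, target, code):
        """Whoever presents the outstanding reset code takes over the account."""
        if self.pending.get(target) == code:
            self.owner[target] = actor
            del self.pending[target]
            return True
        return False


def naive_victim(msg, claimed_account):
    """Forwards whatever code just arrived, which is what the scam relies on."""
    return msg.code


def careful_victim(msg, claimed_account):
    """Shares a code only if it is a Trusted Contacts share issued for the friend's
    account; a password reset for the victim's own account is refused."""
    if msg.kind == "trusted_contact_share" and msg.for_account == claimed_account:
        return msg.code
    return None


def run_scam(victim_policy, victim="alice", friend="bob", attacker="mallory"):
    """Plays the five steps and returns who controls the victim's account afterwards."""
    svc = ToyRecoveryService()
    svc.register(victim)
    svc.register(friend, trusted_contacts=[victim])
    svc.owner[friend] = attacker             # step 1: the friend's account is already compromised
    claimed_account = friend                 # step 2: "help me recover MY account, you're my trusted contact"
    svc.forgot_password(victim)              # step 3: reset requested for the VICTIM's account
    msg = svc.inbox[victim][-1]              # the code the victim actually receives
    code = victim_policy(msg, claimed_account)   # step 4: victim decides whether to share it
    if code is not None:
        svc.redeem(attacker, victim, code)   # step 5: attacker redeems it against the victim's account
    return svc.owner[victim]


def legitimate_share_is_still_usable(victim="alice", friend="bob"):
    """Sanity check: the careful policy does not block a genuine Trusted Contacts request."""
    svc = ToyRecoveryService()
    svc.register(victim)
    svc.register(friend, trusted_contacts=[victim])
    svc.trusted_contacts_recovery(friend)
    msg = svc.inbox[victim][-1]
    return careful_victim(msg, friend) == msg.code


if __name__ == "__main__":
    print("naive victim   ->", run_scam(naive_victim))    # mallory
    print("careful victim ->", run_scam(careful_victim))  # alice
```

The only difference between the two victim policies is the check on what the received message says the code is for; the attacker's script never changes.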

This Facebook scam relies on the victim's lack of familiarity with the Trusted Contacts feature.

The scam can potentially target any user of the popular social network, but experts are seeing the majority of reports from human rights defenders and activists in the Middle East and North Africa.

"So far we're seeing the majority of reports [of people falling victim to this new Facebook phishing scam] from human right defenders and activists from the Middle East and North Africa," Access Now states.

As explained at the start of this post, the attack chain begins with a message sent by the attacker through a compromised account belonging to one of your friends.

In another scenario, the scam is initiated by an actual Facebook friend who intentionally tricks you into handing over your account.

The best way to protect your account is to stay vigilant about every suspicious message, including recovery emails that seem to concern a trusted friend: never hand a code you receive to anyone, and treat an unexpected password reset code for your own account as a sign that someone is trying to take it over.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.